Feature #2926
closed
TLS offloading with mod_sockproxy
Description
Is it (easy) possible, to have SSL/TLS offloading with mod_sockproxy?
Configuring lighttpd as a reverse proxy with TLS offloading works perfectly,
but if I replace the
proxy.server = ...
line with
sockproxy.server = ...
it does not decrypt the stream.
Updated by gstrauss almost 6 years ago
- Status changed from New to Wontfix
- Priority changed from Normal to Low
The forums or IRC are more appropriate "forums" for pie in the sky questions than is the issue tracker.
> Is it (easy) possible, to have SSL/TLS offloading with mod_sockproxy?
Please don't ever ask if something is "easy" unless you're volunteering to do it and asking for guidance (in which case the developer forum is the place to do it).
As for possible, anything is possible, but that isn't what mod_sockproxy was designed to do (please read the doc), and there are no current plans to change what mod_sockproxy was designed to do.
Updated by gstrauss over 3 years ago
- ASK QUESTIONS IN Forums set to No
> Is it (easy) possible, to have SSL/TLS offloading with mod_sockproxy?
Update: someone posted on IRC #lighttpd (irc.libera.chat) that this works for them with mod_sockproxy and mod_openssl, so perhaps this now works with a more recent version of lighttpd (than when this question was originally posted (Jan 2019)).
Updated by gstrauss over 3 years ago
Separately, I would like to apologize for the previous rude response.
Updated by flynn over 3 years ago
I tried again and it works now for me too.
Maybe I forgot to enable the ssl-engine inside the $SERVER["socket"] section two years ago ...
An equivalent to $HTTP["host"] would be very useful, to switch between the host names requested by the client with SNI.
Updated by gstrauss over 3 years ago
- Category set to TLS
- Status changed from Wontfix to Fixed
See also feature request #3081
FYI: If your non-HTTP TLS client provides SNI, #3081 suggests that lighttpd might reject the connection due to ALPN mismatch with the HTTP-specific ALPNs offered by lighttpd.
(It should not be surprising that a server named "lighttpd" with an "httpd" suffix currently provides HTTP-specific ALPNs.)
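The setup discussed in this thread, as an added configuration sketch (not posted by anyone in the thread and not the project's own example): TLS is terminated on a `$SERVER["socket"]` listener with the ssl engine enabled, and mod_sockproxy relays the decrypted stream to a plaintext backend. The listener port, backend address and certificate path are constructed placeholders.

```conf
# Added example; ports, addresses and paths below are placeholders.
server.modules += ( "mod_openssl", "mod_sockproxy" )

# TLS listener for a non-HTTP protocol.
$SERVER["socket"] == ":8443" {
    # If this is missing, the listener is plain TCP and mod_sockproxy
    # relays the client's bytes as they arrive: nothing is decrypted.
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.pem"   # certificate and key

    # Decrypted bytes are forwarded to this backend in cleartext, so keep
    # the backend on loopback or another trusted, non-routable interface.
    sockproxy.server = ( "" =>
        ( ( "host" => "127.0.0.1", "port" => 10000 ) )
    )
}
```

The file can be syntax-checked with `lighttpd -tt -f <config file>` before reloading. Clients that send SNI may still be affected by the ALPN behaviour described in #3081.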